[ https://issues.apache.org/jira/browse/SCM-1028?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17953936#comment-17953936 ]
ASF GitHub Bot commented on SCM-1028:
-------------------------------------

mhoffrog commented on PR #237:
URL: https://github.com/apache/maven-scm/pull/237#issuecomment-2907948989

Lessons learned - rules for PR merging:

1. If one creates a commit hash deviating from the final commit of a PR before merging, then force push this commit hash to the PR branch first.
2. Make sure in any case to merge the PR branch's final commit hash to the target branch to let GitHub properly recognize the PR as merged to the target branch.

> Vulnerability: Clear text password is logged by JGit provider and by gitexe remoteinfo on a ls-remote failure
> -------------------------------------------------------------------------------------------------------------
>
>                 Key: SCM-1028
>                 URL: https://issues.apache.org/jira/browse/SCM-1028
>             Project: Maven SCM (Moved to GitHub Issues)
>          Issue Type: Bug
>          Components: maven-scm-provider-gitexe, maven-scm-provider-jgit
>    Affects Versions: 2.1.0
>            Reporter: Markus Hoffrogge
>            Assignee: Michael Osipov
>            Priority: Critical
>              Labels: vulnerability
>             Fix For: 2.2.0
>
>   Original Estimate: 24h
>  Remaining Estimate: 24h
>
> *Issue(s):*
> # *JGit provider*: If the git password contains special characters which are encoded differently by the {{URI}} class than by {{URLEncoder.encode}}, then the password masking does not become effective and the password is logged in clear, URI-encoded form by the JGit provider.
> # *Gitexe remoteinfo*: In case ls-remote is failing, a {{ScmException}} is thrown with the fetch URL passed as the error message, containing the URI-encoded clear password.
>
> *Root cause(s):*
> # The URL encoding used for the credentials within the fetch and push URL differs from the encoding used for masking the password at [JGitUtils.prepareSession(...)|https://github.com/apache/maven-scm/blob/55186fdf42f65fd3a1be07161bc198f092386f77/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-jgit/src/main/java/org/apache/maven/scm/provider/git/jgit/command/JGitUtils.java#L149]
> # The password is not masked for the exception message passed to the ScmException used at [GitRemoteInfoCommand.executeRemoteInfoCommand(...)|https://github.com/apache/maven-scm/blob/55186fdf42f65fd3a1be07161bc198f092386f77/maven-scm-providers/maven-scm-providers-git/maven-scm-provider-gitexe/src/main/java/org/apache/maven/scm/provider/git/gitexe/command/remoteinfo/GitRemoteInfoCommand.java#L59]
>
> *Solution:*
> [PR #237|https://github.com/apache/maven-scm/pull/237]

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
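An added illustration of the encoding mismatch behind the JGit finding, written for this page and not taken from Maven SCM or PR #237; the class, helper names and sample password are hypothetical. It builds a fetch URL through the multi-argument java.net.URI constructor, shows that a mask token produced by URLEncoder does not match what that constructor emitted, and masks from the URI's own raw userinfo instead; the masked string is also what an exception message, as in the gitexe remoteinfo failure, should carry rather than the fetch URL itself.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Hypothetical class written for this illustration; not Maven SCM code.
public class FetchUrlMasking {
    static final String MASK = "********";

    // Build a fetch URL the way the multi-argument java.net.URI constructor does it:
    // characters that are illegal in the userinfo part (e.g. space) are percent-encoded,
    // while characters it regards as legal there ('!', '+', '*', ...) are left as they are.
    static URI buildFetchUrl(String user, String password, String host, String path)
            throws URISyntaxException {
        return new URI("https", user + ":" + password, host, -1, path, null, null);
    }

    // Flawed masking: the token to blank out is produced by URLEncoder, which encodes
    // the same password differently (space -> '+', '!' -> "%21", '+' -> "%2B").
    // When the two encodings differ, replace() finds nothing and the URI-encoded
    // password stays in the string that gets logged.
    static String maskWithUrlEncoder(URI fetchUrl, String password) {
        String token = URLEncoder.encode(password, StandardCharsets.UTF_8);
        return fetchUrl.toString().replace(token, MASK);
    }

    // Correct masking: take the password exactly as it appears in the URI (the raw,
    // still-encoded userinfo) so the match cannot miss, whatever the password contains.
    static String maskRawPassword(URI fetchUrl) {
        String raw = fetchUrl.getRawUserInfo();
        if (raw == null || raw.indexOf(':') < 0) {
            return fetchUrl.toString();
        }
        String rawPassword = raw.substring(raw.indexOf(':') + 1);
        return fetchUrl.toString().replace(":" + rawPassword + "@", ":" + MASK + "@");
    }

    public static void main(String[] args) throws URISyntaxException {
        String password = "p!ss w0rd+"; // constructed sample containing '!', ' ' and '+'
        URI url = buildFetchUrl("alice", password, "git.example.org", "/repo.git");
        System.out.println("fetch URL        : " + url);
        System.out.println("URLEncoder mask  : " + maskWithUrlEncoder(url, password));
        System.out.println("raw-userinfo mask: " + maskRawPassword(url));
    }
}
```

The first two lines printed still show the password in URI-encoded form; only the third masks it, because it reuses the encoding the URI itself produced instead of recomputing it with a second encoder.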